The payment industry has a long tradition of outsourcing, partnering, and collaborating across a wide set of organisations. Many parties are involved each time a customer buys something with a plastic card, pays a bill or sends funds overseas. The wider
business world is waking up to the concept of the extended enterprise. This is when several organisations work together to achieve something that none of them could have realised alone.
Collaboration is one of the strengths of the payment industry. Third party collaboration can be massively beneficial to all parties involved but it may also bring with it a greater sense of security risk. After all, a partnership is only as strong as its
weakest link, so if one partner has a weaker security set-up than the others it can be a danger to all parties.
Unlike a traditional supply chain, where value – and risk – travels up and down a set of organisations in a linear fashion, the extended enterprise is a complex network of relationships. Risks arise from the underlying outsourced activity, but also from
involvement with third parties. Being interconnected, all organisations are affected by the culture and practices of others in their network.
Indeed, in one high-profile case, attackers breached the security of a large US retailer via their air-conditioning vendor and stole the data of millions of credit and debit cards. This type of risk is hard to monitor for, short of completely self-isolating
your business from others, which is very difficult, however this risk can be managed.
Effective risk management within an extended enterprise is no longer merely understanding your organisation’s supply chain in a linear fashion and managing it as such. It’s about understanding the network of different relationships your organisation may
be part of, and how you manage the risks that arise together.
PCI SSC issue guidance
Back in August 2014, the Payment Card Industry Security Standards Council (PCI SSC) released Information Supplement: Third-Party Security Assurance to help organisations and their business partners reduce risk by better understanding their roles in securing
card data.
The PCI SSC defines a ‘third-party service provider’ as an entity that is not a payment brand (i.e. card scheme) directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.
Various businesses could fall into this category, depending on the services they provide. For example, those securing cardholder data, installing or otherwise supporting point of sale equipment, protecting the cardholder data environment (e.g. at a data
centre), or those who may have incidental access to cardholder data or the data environment, such as providers of managed IT services.
The PCI SSC makes clear that the use of third-party service providers does not relieve an organisation of ultimate responsibility for its data security compliance. Nor does it exempt them from accountability and the obligation for ensuring that its cardholder
data and cardholder data environment are secure.
So, while an organisation may outsource a function, it cannot outsource the responsibility or liability for PCI compliance.
Four steps for managing third-party risk
The PCI SSC’s Information Supplement: Third-Party Security Assurance has set out a four step guide to help businesses trying to manage their third-party service providers. The guide has been designed to be used throughout the lifecycle of the relationship
and its steps are as follows:
1. Due diligence
This includes determining the scope of the services provided and conducting due diligence on the prospective partner. This involves investigating the financial stability of the partner, its reputation, experience in providing the proposed services and so
on, as with any tender.
Organisations should also conduct a risk assessment to understand the level of risk associated with engaging the partner and inform the mitigating controls. Areas to assess include security governance, physical security, access authorisation, incident response,
malware, segregation and security controls.
2. Engagement
Setting expectations, being clear on roles and responsibilities and effective communication are critical as a basis for good risk management throughout the engagement. Organisations may also have to request evidence and obtain information about PCI DSS compliance
from their third parties at this stage.
3. Written agreements, policies and procedures
Document agreements with third parties in writing. This seems obvious but organisations have encountered difficulties when third parties have outsourced services they have agreed to provide. The risks of these nested or downstream relationships can be hard
to control, especially if your organisation is unaware of them.
Evaluate all national, state and industry-specific requirements that may apply. Include specific provisions around breach notification, termination of contract, post-termination considerations and what happens if the third party loses their PCI DSS compliance
status.
4. Maintaining relationships and monitoring
Third party relationships are potentially significant, so dedicate sufficient resource across your organisation to managing them. This will involve almost every function of your organisation, such as colleagues in the legal, finance and IT departments, as
well as those in front-line risk management and procurement.
Establish and maintain a monitoring programme for third-party compliance with PCI DSS. Undertake regular reviews with third parties. Share business plans and changes in strategic direction and encourage them to do likewise.
By understanding and following these four steps, third-party risk should be better managed, reducing the chances of a malicious cyber-attack succeeding. Collaboration is so vital to any industry and mitigating any risks brought about because of it should
always be one of the top priorities of a company. That way, it ensures that everyone will have a safe and beneficial partnership the helps every company involved meet their goals, without fear of security risks.